
Security's Role in Handling Layoffs

By Michael Fitzgerald, CSO
April 07, 2009 11:50 AM ET

The economic crisis has Michael Hamilton worried about worst-case scenarios. One of those isn't losing his job. But as CISO for the City of Seattle, he has to worry about everybody who does lose their jobs.

Laid-off employees could have access to systems that control local utilities, water purification systems, transport systems and public safety systems. Seattle even runs its own municipal power, meaning that it has systems in place that control dams all the way into Eastern Washington.

"The top impact is always the loss of life; that's the worst thing that can happen," says Hamilton. Most data breaches (take this one, for instance) by comparison look merely like an annoyance.

Not that it would be a cheap annoyance to lose data: the Ponemon Institute estimates that each record lost would cost a company $202, not to mention brand equity. Nor does Hamilton take the potential for data breach lightly. Besides death, Hamilton has Terry Childs on his mind. Childs is the San Francisco network administrator who allegedly held the City of San Francisco's network passwords hostage and has been in jail for months awaiting trial.

In the wake of the Childs incident, Hamilton hopes the city avoids laying off network administrators or anyone else with high-level systems provisions. "It's a little terrifying" to think about, he says.

There's plenty of fear going around right now. The U.S. economy is suffering one of its broadest downturns since World War II, and widespread layoffs have created the likelihood of significant security breaches. Fifty-nine percent of U.S. employees who left a firm in the last year knowingly stole data from their former employer, according to a Ponemon Institute survey of 1,000 people. (See an analysis in Laid-Off Employees as Data Thieves?)

The report, released in February, was sponsored by Symantec. Meanwhile, more than 58 percent of U.S. workers surveyed by Cyber-Ark, an identity management firm, said they would download company or competitive information if they thought they were going to lose their jobs. Granted, all these studies were funded by security companies, which have a vested interest in their outcome. Ironically, the best way to head off data theft in a time of layoffs is probably to focus on the people involved. Technology and processes often, at best, help companies monitor data theft, rather than stop it.

Behavioral Security

It's simple, says Ponemon: If you can lay employees off but still leave them with a favorable impression of their company, they are less likely to take data.

They're also less likely to come back with guns a few weeks later. The challenged state of the economy has made executives jittery about the impact of layoffs. "For the first time, I'm hearing people in crisis management meetings say, 'I'm scared. I want security here,'" says Kirian Fitzgibbons, director of special services at the Steele Foundation, a San Francisco firm that handles physical security and risk management. He says that firms are far more nervous about volatile employees than they were during the dotcom bust, with more requests for extra personnel at layoff sites and for extra security on executive floors. (See How to Prepare for Workplace Violence.)

Part of that is the simple scale of the downturn: Fitzgibbons says that typically Steele consults on two to three mass layoffs a year. Right now, it's doing that many a month, and sometimes in a week.

Companies should know that being laid off is not typically something that will prompt violence. "Losing your job and losing something else is what does it," say Fitzgibbons and other security consultants.

"TIP: Randazzo recommends involving red-flag employees in the layoff process, as much as possible."

Almost every company has a "red flag" employee, someone who's had run-ins with management or other employees. During layoffs, companies need to be especially careful about how these people are treated, says Marisa Randazzo, a former chief psychologist for the U.S. Secret Service and president of Threat Assessment Resources International, a security consultancy in Sparks, Nev.

"Companies may think that the bad economy makes it a good time to get rid of bad eggs, or difficult employees. But once they're no longer part of the organization, you don't have the ability to monitor their behavior nearly as well or to do intervention," she says. Indeed, companies need to recognize that problem employees often are symptoms of bad management. Randazzo tells of a laid-off worker who threw his chair through the conference room window and threatened to come back with his guns. It turns out that the company, which put on sporting events, had hired the systems administrators with the promise of attending the event they were working on. It laid off this worker and several others just two weeks before the event, with no mention of free passes to the events.

"These folks were ticked off, understandably, because they'd been promised something and it had been taken away," she says.

Of course, the vast majority of employees are not red-flag employees. But they still need to be treated with dignity.

In this economically driven layoff climate, put people first, and put yourself in their shoes, says Bruce Jones, global IT security and risk manager for Kodak. "You're not laying them off for performance, but for business conditions," he says. "You make sure you treat people accordingly."

Kodak has the layoff drill pretty much down; it's spent much of the last decade being buffeted by the shift to digital imaging.

"TIP: Get people moving forward."

Kodak typically lets employees keep basic network access for a few weeks after a layoff, to help transition their work and in case they are able to get another job within the company.

Organizations can even protect themselves from Terry Childs scenarios. Chad Thunberg, the chief operating officer at Leviathan Security Group in Seattle, says that early in his career he took over for a systems administrator who had been fired for cause. Two days later, the ex-employee hacked into the network and took down a number of important servers. It took 24 hours to get them back online. That company, like the city of San Francisco, had allowed one person to have sole control over too many systems and should have split off some of his duties, as well as designated a backup who would know all the same access and permission codes.
